Title: Lecture 27: Secure Coding
1Lecture 27 Secure Coding Wrap Up
2Saltzer Schroeder Seven Design Principles
- Least Privilege
- Economy of Mechanism
- Complete Mediation
- Open design
- Separation of privilege
- Least Common Mechanism
- Psychological acceptability
31988 Morris Internet Worm
- fingerd.c
- char line512
-
- line0 \0
- gets(line)
- Results in 6,000 computers being infected.
4Fingerd bug fix
- line0 \0
- gets(line)
- Becomes
- memset(line,0,sizeof(line))
- fgets(line,sizeof(line),stdin)
5Miller, Fredrickson So
- 1990, An Empirical Study of the Reliability of
Unix Utilities - 1995, Fuzz Revisited
- 2000, Windows NT Fuzz Report
61990 Fuzz Findings
- Between 25 and 33 of Unix utilities crashed or
hung by supplying them with unexpected inputs - End-of-file in the middle of an input line
- Extra-long input
- Letters for numbers, etc.
- In one case, the entire computer crashed.
71995 Fuzz Revisited
- Vendors not overly concerned about bugs in their
programs - Many of the bugs discovered (approximately 40)
and reported in 1990 are still present in their
exact form in 1995. - Code was made freely available via anonymous FTP
- Exact random data streams used in testing were
made available - 2000 copies of the tools were downloaded from FTP
- It is difficult to understand why a vendor would
not partake of a free and easy source of
reliability improvements
81995 Fuzz Revisited, cont.
- Lowest failure rates wee for the Free Software
Foundations GNU utilities (7) - FSF had strict coding rules that forbid the use
of fixed-length buffers. - Many X clients would readily crash when fed
random streams of data
92000 Fuzz against NT
- 45 of all programs expecting user input could be
crashed - 100 of Win32 programs could be crashed with
Win32 messages - LRESULT CALLBACK
- w32_wnd_proc (hwnd, msg, wParam, lParam)
-
- . . .
- POINT pos
- pos (POINT )lParam
- . . .
- if (TrackPopupMenu((HMENU)wParam,
- flags, pos-gtx, pos-gty, 0, hwnd,
- NULL))
- . . .
-
10Fuzz Today
- eEye Digital Security does network fuzz testing
- http//www.eeye.com/
- Most remote crashes can be turned into remote
exploits - Retina Vulnerability Scanner
11Morris Worm II
- Exploited Sendmails WIZ and DEBUG commands
- Cracked passwords
- Caused havoc by hyper-replication (common
problem)
12Avoiding Security-Related Bugs
- Avoid bugs in general
- Test with non-standard input
- Look for back doors
- (theoretically impossible to do perfectly)
13Design Principles
- Carefully design the program before you start.
- Remember you will either design it before you
start writing it, or while you are writing it.
But you will design it. - Document your program before writing the code.
- Make critical portions of the program as small as
possible. - Resist adding new features. The less code you
write, the less likely you are to introduce new
bugs.
14Design Principles 2
- Resist rewriting standard functions. (Even when
standard libraries have bugs.) - Be aware of race conditions
- Deadlock conditions More than one copy of your
program may be running at the same time! - Sequence conditions Your code does not execute
automatically! - Do not stat() then open()
- Do not use access()
- Write for clarity and correctness before
optimizing.
15Coding Standards
- Check all input arguments. Always.
- Check arguments you pass to system calls
16Return Codes
- Check all system call returns.
- fd open(filename,O_RDONLY) can fail!
- read(fd,buf,sizeof(buf)) can fail
- close(fd) can fail!
- Use perror(open) or err(1,open failed) to
tell the user why something failed. - Log important failures with syslog()
17File Names
- Always use full pathnames
- Check all user-supplied input (filenames) for
shell metacharacters - If you are expecting to create a new file, open
with O_EXCLO_CREAT to fail if the file exists. - If you are expecting an old file, open with
O_EXCL to fail if it does not exist.
18Temporary Files
- Use tmpfile() or mkstemp() to create temporary
files - FILE ftmpfile(void)
- int fd mkstemps(char template, int
suffixlen) - Never use mktemp() or tmpnam()
19Functions to avoid
Avoid Use instead
gets() fgets()
strcpy() strncpy()
strcat() strncat()
sprintf() snprintf()
vsprintf() vsnprintf()
20Coding Standards 2
- Check arguments passed to program via environment
variables - e.g., HOME, PAGER, etc.
- Do bounds checking on every variable.
- If a variable should be 0..5, make sure it is not
-5 or 32767 - Check lengths before you copy.
21Coding Standards
- Use assert() within your program.
- j index(buf,)
- assert(jgt0)
22Coding Standards
- Avoid C functions that use statically-allocated
buffers - These are the rules for multi-threaded coding as
well! - dont use
- struct tm
- localtime(const time_t clock)
- Use
- struct tm
- localtime_r(const time_t clock,
- struct tm result)
23Logging
- Design your logs to be parsed by a computer
- Using syslog() if possible.
- Include a heartbeat log
24RFC 1750 Randomness Recommendations
- Keep seeds for RNGs secret!
- Dont seed with
- Time of day
- Serial number
- Ethernet address
- Beware using
- Network timing
- Random selections from databases
- Use
- Analog input devices (/dev/audio)
- Never use rand()
25Passwords
- Store the hash of passwords and a salt, not the
passwords themselves - Also store
- Date password was changed
- of invalid password attempts
- Location of invalid password attempt
- Dont restrict password character set
- Try flipping password case (just to be nice)
26Limit Privilege
- Limit access to the file system
- chroot() and jail() under Unix
- Restrict use of C compiler
27Programs that need privilege (SUID/SGID/Admin)
- Dont do it. Most of the time, its not
necessary (Wood Kochan, Unix System Security,
1985) - Dont use root or Administrator privs when you
can create a specialty group. - Use permissions as early as possible to open
files, etc., then give up the privs. - Avoid embedding general-purpose command
languages, interfaces, etc., in programs that
require privilege - Erase execution environment (PATH, etc.) and
build from scratch - Use full path names
28Tips for Network Programs
- Do reverse lookups on all connections
- Include load shedding or load limiting
- Include reasonable timeouts
- Make no assumptions about content of input data
- Make no assumption about the amount of input
- Call authd if possible --- but dont trust the
results
29More Network Tips
- Use SSL if at all possible.
- Include support for using a proxy
- Build in graceful shutdown
- From signals
- From closed network pipes
- Include self recognition so that more than one
copy of the server doesnt run at the same time. - Try not to create a new network protocol
- Dont hard-code port numbers
- Dont trust privileged ports, IP source
addresses - Dont send passwords in clear text.
30Web-based Applications
- Validate all information from the client
- Dont trust the content of HIDDEN fields
- Verify Cookies
- Digitally sign or MAC all information
- Use prepared SQL statements
- Never sprintf(s,select where
usernames,username) - Always select where username?
31Programming Languages
- Avoid C, C if possible
- Use perls tainting feature (-T)
- Be careful with Javas class loader
- Be careful with eval()
- perl
- python
- shell
32Things to avoid
- Dont provide shell escapes in interactive
programs - Be very careful with system() and popen() calls
- Do not create files in world-writable directories
- Use setrlimit() to avoid dumping core
33Before you Finish
- Read though your code
- How would you attack your own code?
- What happens if it gets unexpected inputs?
- What happens if you place a delay between system
calls? - Test your assumptions
- Run by root. Run by nobody
- Run in a different directory
- What is /tmp or /tmp/root doesnt exist?
34Testing
- Test with a testing tool
- tcov (SVR4)
- gcov (GNU)
- Commercial Testing tools
- CodeCenter
- PurifyPlus
35More testing
- Stress Test
- Low memory
- Filled disk
- Test Missing DLLs
- Internet Explorer fails open if msrating.dll is
not installed - Monitor all reads writes
- Holodeck (Windows)
- dtrace (Solaris)
36Code Review
- Walk through your code with another competent
programmer - Simply putting your code on the Internet is not
the same as having it reviewed!
37Famous Open-Source Problems
- Kerberos random number generator
- Sendmail DEBUG and WIZ
- fingerd
- Others (from class)
- Hylafax program
- NNTPcache
38Class Wrap Up
39What did we learn?
- Security by itself is a meaningless concept.
- What is being secured?
- Who or what is it being secured from?
- What are the other tradeoffs that security
decisions are forcing?
40Security is not a goal in itself
- Cant secure everything
- Security perimeter
- Secure against specific attacks
- Secure systems must be usable as well
- Security to the exclusion of other goals isnt
useful either
41Security and Privacy Policy
- Need to have a written policy for
- What users/customers are allowed to do
- What is expected from users
- What organization is allowed to do
- Policy is informed by
- Law
- Local practice
- Custom
42Security and Usability Policy
- Swat boxes dont work
- Eternal Vigilance is hard
- Better to have a system that allows you to ask
for forgiveness - Undo as a security principle
- Doesnt work well for all users.
43Fair Information Practices
- 1. There must be no personal data record-keeping
systems whose very existence is secret. - 2. There must be a way for a person to find out
what information about the person is in a record
and how it is used. - 3. There must be a way for a person to prevent
information about the person that was obtained
for one purpose from being used or made available
for other purposes without the person's consent. - 4. There must be a way for a person to correct or
amend a record of identifiable information about
the person. - 5. Any organization creating, maintaining, using,
or disseminating records of identifiable personal
data must assure the reliability of the data for
their intended use and must take precautions to
prevent misuses of the data. HEW 73
44Information Security Landscape
- Routers, Firewalls, IDS, IPsec, VPNs, etc.
- Overly complex ad hoc no underlying theory of
operation - Stresses disclosure control, not backup and
recovery - Not designed for
- usability
- maintainabiliy
45Physical Security and Information Leakage
- Lots of ways for information to leak out
- Optical emanations
- RF emanations
- Carried out on media
- Discarded equipment
- Most leaked information is ignored and never an
issue - Most leaked information that is an issue is never
discovered!
46Social Engineering
- People are a weak link.
- People can be made stronger
- Training
- Testing
- Improved user interfaces that make social
engineering harder. - The most effective attacks today are automated
social engineering attacks
47Crypto
- Hash functions
- MD5, SHA-1
- Hash Trees
- Symmetric Encryption Algorithms
- DES, RC2, RC4, AES
- Asymmetric Encryption Algorithms
- Diffie-Hellman, RSA, Elliptic-Curve encryption
48Hash Functions
- Collisions Happen
- The longer the hash, the less they happen
- Collisions arent guaranteed
- There may be some D that has a unique hash
49User Authentication
- Passwords
- Visual Passwords
- Pass doodles
- Smart cards tokens
- biometrics
50Biometrics
- Identification Authentication
- Many kinds
- fingerprints
- voice prints
- Handwriting analysis
- Typing analysis
- Face recognition
- Passive vs. Active
- No good theory behind most of them
- Frequently dont tell you what you think that
they do - Many can be faked
51User Authentication II PKI
- Everybody has a private key
- How do you unlock your private key?
- password
- biometric
- House key
- PKI is the basis for secure messaging
52Alternative to PKI Peer-to-peer
- Make people responsible for their own
authentication and security - SSH model vs. SSL model
- Can you do this in a way that doesnt require
user training?
53Worms, Viruses and Trojan Horses
- Theyre bad
- How to 0wn the Internet in Your Spare Time
- Theyre getting worse
- UDP is faster than TCP
- slammer vs. code-red
- bot nets are a growing threat
54Designing for Secure Interaction
- Approach 1 Teach the user
- Approach 2 Have the program teach the user
- Approach 3 Have software that doesnt require
teaching - Inherently secure operation
- Inherently visible operation
- (Is making things visible good enough?)
55RFID
- Its coming
- Lots of misinformation out there
- Whats the real issue
- covert reading?
- database matching?
56Privacy Protecting Technologies
- Crypto is one example
- Anonymity loves a crowd.
- Mix nets is the fundamental technology
- Onion routing
- Anonymous storage systems
57Trusted Computing
- Hardware Software
- Who is the attacker?
- Hand-in-hand with DMCA
- Examples in todays world
- DVDs
- Smart cards
- Watermarking is a different approach